Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/66492?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/66492?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p1", "type": "composer", "namespace": "magento", "name": "community-edition", "version": "2.4.6-p1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.4.6-p13", "latest_non_vulnerable_version": "2.4.9-alpha3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47458?format=api", "vulnerability_id": "VCID-b4jg-dj1a-9qd5", "summary": "Magento Open Source allows Cross-Site Scripting (XSS)\nAdobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Confidentiality and integrity are considered high due to having admin impact.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-18.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb24-18.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20759", "reference_id": "CVE-2024-20759", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20759" }, { "reference_url": "https://github.com/advisories/GHSA-59vf-hjxc-f9c5", "reference_id": "GHSA-59vf-hjxc-f9c5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-59vf-hjxc-f9c5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69697?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p5" }, { "url": "http://public2.vulnerablecode.io/api/packages/67321?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cafy-5dd8-rudj" }, { "vulnerability": "VCID-dj5a-35gt-u7dn" }, { "vulnerability": "VCID-kxnm-y19k-mqg2" }, { "vulnerability": "VCID-qfw5-3tdu-x7g4" }, { "vulnerability": "VCID-qrwc-3gsb-zkfy" }, { "vulnerability": "VCID-r7nh-arcj-8fb3" }, { "vulnerability": "VCID-rf6p-ct86-5bgz" }, { "vulnerability": "VCID-th7y-aj51-mbaj" }, { "vulnerability": "VCID-y4r1-yr69-uuf6" }, { "vulnerability": "VCID-yyq6-dvyx-3bb9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7" } ], "aliases": [ "CVE-2024-20759", "GHSA-59vf-hjxc-f9c5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b4jg-dj1a-9qd5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45803?format=api", "vulnerability_id": "VCID-cgwk-hn4t-n7c1", "summary": "Magento Open Source allows Incorrect Authorization\nAdobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Incorrect Authorization vulnerability that could lead to a Security feature bypass. A low-privileged attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38209", "reference_id": "CVE-2023-38209", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38209" }, { "reference_url": "https://github.com/advisories/GHSA-3vg2-v639-6ch9", "reference_id": "GHSA-3vg2-v639-6ch9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3vg2-v639-6ch9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66493?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p2" } ], "aliases": [ "CVE-2023-38209", "GHSA-3vg2-v639-6ch9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cgwk-hn4t-n7c1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47017?format=api", "vulnerability_id": "VCID-j124-q39m-mkby", "summary": "Magento Open Source allows Cross-Site Request Forgery (CSRF)\nAdobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to trick a victim into performing actions they did not intend to do, which could be used to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction, typically in the form of the victim clicking a link or visiting a malicious website.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20718", "reference_id": "CVE-2024-20718", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20718" }, { "reference_url": "https://github.com/advisories/GHSA-hqgj-4396-hmxv", "reference_id": "GHSA-hqgj-4396-hmxv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hqgj-4396-hmxv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68969?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p4" } ], "aliases": [ "CVE-2024-20718", "GHSA-hqgj-4396-hmxv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j124-q39m-mkby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47019?format=api", "vulnerability_id": "VCID-j5vp-2jrx-ukf4", "summary": "Magento Open Source allows Cross-Site Scripting (XSS)\nAdobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, that could be leveraged to gain admin access.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20719", "reference_id": "CVE-2024-20719", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20719" }, { "reference_url": "https://github.com/advisories/GHSA-264g-f7v8-q5qq", "reference_id": "GHSA-264g-f7v8-q5qq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-264g-f7v8-q5qq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68969?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p4" } ], "aliases": [ "CVE-2024-20719", "GHSA-264g-f7v8-q5qq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j5vp-2jrx-ukf4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45809?format=api", "vulnerability_id": "VCID-jhd5-tqph-3ufu", "summary": "Magento Open Source allows Improper Neutralization of Special Elements Used\nAdobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38208", "reference_id": "CVE-2023-38208", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38208" }, { "reference_url": "https://github.com/advisories/GHSA-mxc9-g6m4-2v35", "reference_id": "GHSA-mxc9-g6m4-2v35", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mxc9-g6m4-2v35" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66493?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p2" } ], "aliases": [ "CVE-2023-38208", "GHSA-mxc9-g6m4-2v35" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jhd5-tqph-3ufu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46203?format=api", "vulnerability_id": "VCID-kxnm-y19k-mqg2", "summary": "Magento Open Source allows Server-Side Request Forgery (SSRF)\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction, scope is changed due to the fact that an attacker can enforce file read outside the application's path boundary.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26366", "reference_id": "CVE-2023-26366", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26366" }, { "reference_url": "https://github.com/advisories/GHSA-8jxc-5f94-22vh", "reference_id": "GHSA-8jxc-5f94-22vh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8jxc-5f94-22vh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67323?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p3" }, { "url": "http://public2.vulnerablecode.io/api/packages/67322?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7-beta2" } ], "aliases": [ "CVE-2023-26366", "GHSA-8jxc-5f94-22vh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kxnm-y19k-mqg2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46201?format=api", "vulnerability_id": "VCID-m83v-51cy-uqar", "summary": "Magento Open Source allows Incorrect Authorization\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38218", "reference_id": "CVE-2023-38218", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38218" }, { "reference_url": "https://github.com/advisories/GHSA-rpc7-gf58-v3x2", "reference_id": "GHSA-rpc7-gf58-v3x2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rpc7-gf58-v3x2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67323?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p3" }, { "url": "http://public2.vulnerablecode.io/api/packages/67322?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7-beta2" } ], "aliases": [ "CVE-2023-38218", "GHSA-rpc7-gf58-v3x2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m83v-51cy-uqar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47021?format=api", "vulnerability_id": "VCID-msac-ptqf-pyg1", "summary": "Magento Open Source allows OS Command Injection\nAdobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20720", "reference_id": "CVE-2024-20720", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20720" }, { "reference_url": "https://github.com/advisories/GHSA-525f-pvj5-vqmq", "reference_id": "GHSA-525f-pvj5-vqmq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-525f-pvj5-vqmq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68969?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p4" } ], "aliases": [ "CVE-2024-20720", "GHSA-525f-pvj5-vqmq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-msac-ptqf-pyg1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47020?format=api", "vulnerability_id": "VCID-p222-28c1-vfhy", "summary": "Magento Open Source allows Uncontrolled Resource Consumption\nAdobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to an application denial-of-service. A high-privileged attacker could leverage this vulnerability to exhaust system resources, causing the application to slow down or crash. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20716", "reference_id": "CVE-2024-20716", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20716" }, { "reference_url": "https://github.com/advisories/GHSA-c9h9-h5gf-885r", "reference_id": "GHSA-c9h9-h5gf-885r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c9h9-h5gf-885r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68969?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p4" } ], "aliases": [ "CVE-2024-20716", "GHSA-c9h9-h5gf-885r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p222-28c1-vfhy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46196?format=api", "vulnerability_id": "VCID-qfw5-3tdu-x7g4", "summary": "Magento Open Source has Improper Input Validation Vulnerability\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26367", "reference_id": "CVE-2023-26367", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26367" }, { "reference_url": "https://github.com/advisories/GHSA-9mx6-4gg4-85xj", "reference_id": "GHSA-9mx6-4gg4-85xj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9mx6-4gg4-85xj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67323?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p3" }, { "url": "http://public2.vulnerablecode.io/api/packages/67322?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7-beta2" } ], "aliases": [ "CVE-2023-26367", "GHSA-9mx6-4gg4-85xj" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qfw5-3tdu-x7g4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46191?format=api", "vulnerability_id": "VCID-r7nh-arcj-8fb3", "summary": "Magento Open Source allows Uncontrolled Resource Consumption\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Uncontrolled Resource Consumption vulnerability that could lead into a minor application denial-of-service. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38251", "reference_id": "CVE-2023-38251", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38251" }, { "reference_url": "https://github.com/advisories/GHSA-7pfc-834q-h497", "reference_id": "GHSA-7pfc-834q-h497", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7pfc-834q-h497" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67323?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p3" }, { "url": "http://public2.vulnerablecode.io/api/packages/67322?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7-beta2" } ], "aliases": [ "CVE-2023-38251", "GHSA-7pfc-834q-h497" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r7nh-arcj-8fb3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46199?format=api", "vulnerability_id": "VCID-rbjk-3gcs-2qb5", "summary": "Magento Open Source allows Improper Authorization\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead in a security feature bypass in a way that an attacker could access unauthorised data. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38220", "reference_id": "CVE-2023-38220", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38220" }, { "reference_url": "https://github.com/advisories/GHSA-grc6-r6f8-xj7c", "reference_id": "GHSA-grc6-r6f8-xj7c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-grc6-r6f8-xj7c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67323?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p3" }, { "url": "http://public2.vulnerablecode.io/api/packages/67322?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7-beta2" } ], "aliases": [ "CVE-2023-38220", "GHSA-grc6-r6f8-xj7c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rbjk-3gcs-2qb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46192?format=api", "vulnerability_id": "VCID-rf6p-ct86-5bgz", "summary": "Magento Open Source allows SQL Injection\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38249", "reference_id": "CVE-2023-38249", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38249" }, { "reference_url": "https://github.com/advisories/GHSA-rq36-9f5f-2gw7", "reference_id": "GHSA-rq36-9f5f-2gw7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rq36-9f5f-2gw7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67323?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p3" }, { "url": "http://public2.vulnerablecode.io/api/packages/67322?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7-beta2" } ], "aliases": [ "CVE-2023-38249", "GHSA-rq36-9f5f-2gw7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rf6p-ct86-5bgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47435?format=api", "vulnerability_id": "VCID-ruru-fwmn-5kes", "summary": "Magento Open Source allows Improper Input Validation\nAdobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but the attack complexity is high.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-18.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb24-18.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20758", "reference_id": "CVE-2024-20758", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20758" }, { "reference_url": "https://github.com/advisories/GHSA-wh4m-6rh3-p4rq", "reference_id": "GHSA-wh4m-6rh3-p4rq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wh4m-6rh3-p4rq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69697?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p5" }, { "url": "http://public2.vulnerablecode.io/api/packages/67321?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cafy-5dd8-rudj" }, { "vulnerability": "VCID-dj5a-35gt-u7dn" }, { "vulnerability": "VCID-kxnm-y19k-mqg2" }, { "vulnerability": "VCID-qfw5-3tdu-x7g4" }, { "vulnerability": "VCID-qrwc-3gsb-zkfy" }, { "vulnerability": "VCID-r7nh-arcj-8fb3" }, { "vulnerability": "VCID-rf6p-ct86-5bgz" }, { "vulnerability": "VCID-th7y-aj51-mbaj" }, { "vulnerability": "VCID-y4r1-yr69-uuf6" }, { "vulnerability": "VCID-yyq6-dvyx-3bb9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7" } ], "aliases": [ "CVE-2024-20758", "GHSA-wh4m-6rh3-p4rq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ruru-fwmn-5kes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46193?format=api", "vulnerability_id": "VCID-s5e2-d6n8-kkbr", "summary": "Magento Open Source allows Cross-Site Scripting (XSS)\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Payload is stored in an admin area, resulting in high confidentiality and integrity impact.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38219", "reference_id": "CVE-2023-38219", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38219" }, { "reference_url": "https://github.com/advisories/GHSA-3j7w-jp46-9752", "reference_id": "GHSA-3j7w-jp46-9752", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3j7w-jp46-9752" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67323?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p3" }, { "url": "http://public2.vulnerablecode.io/api/packages/67322?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7-beta2" } ], "aliases": [ "CVE-2023-38219", "GHSA-3j7w-jp46-9752" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s5e2-d6n8-kkbr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45808?format=api", "vulnerability_id": "VCID-w3zd-fezc-nuhd", "summary": "Magento Open Source allows XML Injection\nAdobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38207", "reference_id": "CVE-2023-38207", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38207" }, { "reference_url": "https://github.com/advisories/GHSA-rpv2-g4pc-wp72", "reference_id": "GHSA-rpv2-g4pc-wp72", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rpv2-g4pc-wp72" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66493?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p2" } ], "aliases": [ "CVE-2023-38207", "GHSA-rpv2-g4pc-wp72" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w3zd-fezc-nuhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46190?format=api", "vulnerability_id": "VCID-y4r1-yr69-uuf6", "summary": "Magento Open Source allows SQL Injection\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38250", "reference_id": "CVE-2023-38250", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38250" }, { "reference_url": "https://github.com/advisories/GHSA-h3g9-cwr6-hphx", "reference_id": "GHSA-h3g9-cwr6-hphx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h3g9-cwr6-hphx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67323?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p3" }, { "url": "http://public2.vulnerablecode.io/api/packages/67322?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7-beta2" } ], "aliases": [ "CVE-2023-38250", "GHSA-h3g9-cwr6-hphx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y4r1-yr69-uuf6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46200?format=api", "vulnerability_id": "VCID-zt9b-9sjx-7qb4", "summary": "Magento Open Source allows SQL Injection\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.", "references": [ { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38221", "reference_id": "CVE-2023-38221", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38221" }, { "reference_url": "https://github.com/advisories/GHSA-ggr8-3hwx-4f2m", "reference_id": "GHSA-ggr8-3hwx-4f2m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ggr8-3hwx-4f2m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67323?format=api", "purl": "pkg:composer/magento/community-edition@2.4.6-p3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p3" }, { "url": "http://public2.vulnerablecode.io/api/packages/67322?format=api", "purl": "pkg:composer/magento/community-edition@2.4.7-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.7-beta2" } ], "aliases": [ "CVE-2023-38221", "GHSA-ggr8-3hwx-4f2m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zt9b-9sjx-7qb4" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.6-p1" }